Docker containers aren't safe enough to run untrusted code, there are privilege escalation vulnerabilities reported fairly often.

curt15 7 hours ago | parent | next [-]

The common wisdom used to be that containers are not a security boundary. Is that still the case?

I don't think bubblewrap is any better in that regard.

	▲	purplehat_ 11 hours ago \| parent \| next [-]
		Why do you say that? Bubblewrap is a it's a very minimal setuid binary. It's 4000 lines of C but essentially all it does is parse your flags ask the kernel to do the sandboxing (drop capabilities, change namespaces) for it. You do have to do cgroups yourself, though. It's very small and auditable compared to docker and I'd say it's safer. If you want something with a bit more features but not as complex as docker, I think the usual choices are podman or firejail.
	▲	exceptione 11 hours ago \| parent \| prev [-]
		bwrap just works in rootless mode and doesn't tamper with your firewall.